Ecuador is on the cusp of having its first data protection law. The Data Protection Bill is currently being debated in Congress and follows the European regulatory standard.

Data protection has not been a priority in the Ecuadorian legal system. Even though the Constitution recognizes the right to data protection and the constitutional guarantee of habeas data, no specific law has been enacted defining the scope of that right or the obligations that flow from it.

Instead, data protection rules are scattered across a number of laws, including the Telecommunications Law, the E-Commerce Law, the Criminal Code and the Financial and Monetary Law, and their reach is limited to the scope and objectives of each of those laws.

Two significant circumstances demonstrated the need for a data protection law. The first occurred in September 2019, when a data breach affecting nearly all Ecuadorian citizens showed why a comprehensive data protection law is necessary. Personal information, including phone numbers, ID numbers, work records and home addresses, was stored on servers outside Ecuador without the data subjects' authorization. Because no law provided for fines or for a data protection authority, Ecuadorian authorities were unable to take immediate action. The prosecutor's office is currently investigating possible criminal liability for the breach.

The second circumstance is the evolution of data protection laws in other countries. The EU General Data Protection Regulation and similar laws worldwide restrict international data transfers to jurisdictions without adequate protection, and without a law of its own Ecuador cannot meet the additional obligations those regimes impose on transfers.

The Data Protection Bill was submitted to Congress by President Lenin Moreno in September 2019. The International Relations Commission was in charge of analyzing the bill and preparing it for the first debate in Congress. The commission is now preparing its report for the second debate.

The bill contains 76 articles and 12 chapters. Critical aspects of the bill are discussed below.

Extraterritorial scope

Processors and controllers located outside Ecuador that offer goods or services to Ecuadorian residents must comply with the bill's obligations. However, the bill does not require them to appoint a representative in the country responsible for meeting those obligations.

Data protection principles

The bill recognizes many of the data protection principles accepted worldwide, such as purpose limitation, transparency, confidentiality, limited retention, accountability and data accuracy, and sets out guidelines and obligations for data processors and controllers.

Lawful basis for the processing of personal data

Currently, the Ecuadorian legal system recognizes consent and compliance with a legal obligation as lawful bases for processing. The bill adds further lawful bases, such as legitimate interest, performance of contractual and pre-contractual obligations, protection of vital interests, processing of data held in public databases, and the performance of tasks carried out in the public interest or in the exercise of public powers.

New data subjects rights

The bill recognizes new data subject rights, including the right to information, the right of access, the right to rectification, the right to deletion, the right of cancellation, the right to object, the right not to be subject to a decision based solely on automated processing, the right to portability and the right to be forgotten. The bill also recognizes exceptions to the rights to rectification, deletion, cancellation and objection; these exceptions are tied to the lawfulness of the processing. Moreover, the right to be forgotten applies only to digital content, and its enforcement requires approval from a judge. It is unclear how the data subject should initiate a claim under that right.

Special categories of data

Sensitive data, data concerning health, financial data and minors' data are considered special categories of personal data. Explicit consent is required to process this type of data. Moreover, both health and financial data will additionally be regulated by specific laws.

Security measures

The bill establishes several obligations regarding the security measures that processors and controllers must implement. They must ensure the confidentiality, integrity and availability of personal data and adopt technical measures proportionate to the volume and type of data processed. Implementing risk analysis, privacy by design and data protection impact assessments will be key for any business that processes personal data. Furthermore, the bill establishes a notification obligation for breaches or leaks: in such cases the data controller must notify the data protection authority and, in specific cases, the data subjects.

DPO

Controllers and processors must appoint a data protection officer depending on the purpose, scope and volume of the data being processed; all public authorities must appoint one. The DPO will cooperate with the data protection authority and act as the contact point for data subjects.

International data transfer

International data transfers will be allowed to third countries and territories that ensure an adequate level of protection. The DPA will maintain a list of the countries and territories deemed adequate. Where the DPA determines that a country does not provide an adequate level of protection, the processor and/or controller may instead provide appropriate safeguards. The bill establishes the requirements and conditions for those safeguards.

DPA

The bill creates the Data Protection Superintendence as the new DPA. The Superintendence is an autonomous institution. The Superintendent will be appointed according to the procedure established in the Constitution. 

Sanctions and liabilities

The bill establishes two tiers of infringement, minor and major. Data processors and controllers can be fined between 3% and 17% of their annual revenue from the preceding year.

The sanction will depend on the intent of the controller or processor, recurrence, the gravity of the infringement and other factors. The DPA will impose the sanction after an administrative procedure, and may also impose corrective measures on the processor and controller.

The Data Protection Bill is expected to be enacted this year. It will completely change how personal data is processed in Ecuador, which is why preparing for its implementation is essential.
